Swiftdiff options
| author | Tobias Markmann <tm@ayena.de> | 2015-10-19 14:23:42 (GMT) |
|---|---|---|
| committer | Swift Review <review@swift.im> | 2015-11-10 18:28:39 (GMT) |
| commit | ab651834c9088e34e6e66eb105e0fb855f1572c4 (patch) | |
| tree | 611d434fedcb69f6698af9dc4696e59fba9d97b7 /Swiften/Network/BOSHConnectionPool.h | |
| parent | 9b090062d0270d556c9253e0ddf767d7c5bbadbf (diff) | |
| download | swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.zip swift-ab651834c9088e34e6e66eb105e0fb855f1572c4.tar.bz2 | |
Add support for client certificate authentication in BOSH
This allows to authenticate using SASL EXTERNAL over BOSH
using a client TLS certificate for the HTTPS connection of
the BOSH channel.
The implementation also enforces the HTTPS server certificate
of subsequent BOSH connections not to change.
This commit also removes TLSConnection and TLSConnectionFactory
as no code is using them.
Test-Information:
Tested against M-Link 16.3v6-0 on Debian 7.9 and Swift on
OS X 10.10.5. Verified working client certificate authentication.
Verified Swift not falling back to password-based authentication,
in case EXTERNAL is not allowed by the server over BOSH or
the client certificate is invalid.
Change-Id: Ia96bcac27cac9fc9261ed847c82c6328307bfbd1
Diffstat (limited to 'Swiften/Network/BOSHConnectionPool.h')
| -rw-r--r-- | Swiften/Network/BOSHConnectionPool.h | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/Swiften/Network/BOSHConnectionPool.h b/Swiften/Network/BOSHConnectionPool.h index eaef56c..df116ff 100644 --- a/Swiften/Network/BOSHConnectionPool.h +++ b/Swiften/Network/BOSHConnectionPool.h @@ -9,30 +9,41 @@ #include <vector> #include <Swiften/Base/API.h> #include <Swiften/Base/SafeString.h> #include <Swiften/Network/BOSHConnection.h> +#include <Swiften/TLS/CertificateWithKey.h> #include <Swiften/TLS/TLSOptions.h> namespace Swift { class CachingDomainNameResolver; class EventLoop; class HTTPConnectProxiedConnectionFactory; class HTTPTrafficFilter; - class TLSConnectionFactory; + class TLSContextFactory; + class CachingDomainNameResolver; + class EventLoop; class SWIFTEN_API BOSHConnectionPool : public boost::bsignals::trackable { public: BOSHConnectionPool(const URL& boshURL, DomainNameResolver* resolver, ConnectionFactory* connectionFactory, XMLParserFactory* parserFactory, TLSContextFactory* tlsFactory, TimerFactory* timerFactory, EventLoop* eventLoop, const std::string& to, unsigned long long initialRID, const URL& boshHTTPConnectProxyURL, const SafeString& boshHTTPConnectProxyAuthID, const SafeString& boshHTTPConnectProxyAuthPassword, const TLSOptions& tlsOptions, boost::shared_ptr<HTTPTrafficFilter> trafficFilter = boost::shared_ptr<HTTPTrafficFilter>()); ~BOSHConnectionPool(); + + void open(); void write(const SafeByteArray& data); void writeFooter(); void close(); void restartStream(); + void setTLSCertificate(CertificateWithKey::ref certWithKey); + bool isTLSEncrypted() const; + Certificate::ref getPeerCertificate() const; + std::vector<Certificate::ref> getPeerCertificateChain() const; + boost::shared_ptr<CertificateVerificationError> getPeerCertificateVerificationError() const; + boost::signal<void (BOSHError::ref)> onSessionTerminated; boost::signal<void ()> onSessionStarted; boost::signal<void (const SafeByteArray&)> onXMPPDataRead; boost::signal<void (const SafeByteArray&)> onBOSHDataRead; boost::signal<void (const SafeByteArray&)> onBOSHDataWritten; @@ -65,8 +76,13 @@ namespace Swift { std::string to; size_t requestLimit; int restartCount; bool pendingRestart; std::vector<ConnectionFactory*> myConnectionFactories; CachingDomainNameResolver* resolver; + CertificateWithKey::ref clientCertificate; + TLSContextFactory* tlsContextFactory_; + TLSOptions tlsOptions_; + std::vector<boost::shared_ptr<Certificate> > pinnedCertificateChain_; + boost::shared_ptr<CertificateVerificationError> lastVerificationError_; }; } |